
Wicked phishing pictures

It is fair to say that everything new is well-forgotten old.

Allowing remote resources (such as images hosted on other websites) to be embedded in the pages of your own website is a very bad practice that may at some point lead to quite serious consequences for the site. As far back as 10 years ago I was surprised to read about this possibility. Ten years later nothing has changed, and it seems it hardly ever will.

Theory and practice

1. The hacker (a malicious user) registers a domain similar in spelling to the target domain.
2. The hacker uploads a PHP script to it with the following content:

```php
<?php
// For now the script just serves the normal image.jpg that sits in the
// same folder; the lines that trigger the authorization prompt stay
// commented out until step 6.
// You can also play with the script's extension and name it superphoto.jpg.
header('Content-Type: image/jpeg');
readfile(__DIR__ . '/image.jpg');
?>
```
3. A user writes an article and embeds the picture in the post:

```html
<img src="http://exEmple.com/evilimage.php" alt="image"/>
```
4. If the site has moderation, the article is sent for moderation.
5. Suppose the article turns out well, so it lands on the homepage.
6. Once the hacker sees his creation on the homepage, he uncomments the lines in the PHP script. Now any user whose browser requests the picture from the post gets an authorization window, and its text can say anything, for instance that the site is fighting off a DDoS attack and asks you to re-enter your login and password.
7. The user does not notice the domain name shown in the authorization form and submits a username and password.
8. The hacker gets your username and password.

Protection methods

I think there are two methods:

• At the browser level: bar authorization windows that come from a website other than the one being viewed.
• At the level of site developers: copy all remote resources to your own hosting.
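As an added example (not code from the original post) of the second method, here is a publish-time localizer that copies remote images to the site's own hosting and refuses anything that is not a real image, including a response that answers with an authorization challenge; the URL images.example.net, the /uploads/cache path and the canned responses are constructed stand-ins for a real HTTP client.

```python
import hashlib
import re

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for a real HTTP client: url -> (status, content_type, body).
# The first entry mimics the trick from the post: the "image" answers with an
# authorization challenge instead of picture bytes.
FAKE_RESPONSES = {
    "http://exEmple.com/evilimage.php": (401, "text/html", b"<html>Authorization Required</html>"),
    "http://images.example.net/cat.jpg": (200, "image/jpeg", JPEG_MAGIC + b"\x00" * 32),
}


def fetch(url):
    return FAKE_RESPONSES.get(url, (404, "text/plain", b""))


def looks_like_image(body):
    return body.startswith(JPEG_MAGIC) or body.startswith(PNG_MAGIC)


def localize_remote_images(post_html, local_dir="/uploads/cache", fetcher=fetch):
    """Rewrite every remote <img src="http(s)://..."> to a copy on our own host.

    Returns (rewritten_html, stored_files, rejected_urls).  A remote image is kept
    only if it answers 200 with an image/* Content-Type AND the bytes start with a
    real image signature (a script can lie about Content-Type, not about magic
    bytes).  Anything else, e.g. a 401 challenge, is dropped from the post, so a
    later swap of the remote file for a script never reaches readers' browsers.
    """
    stored, rejected = {}, []

    def replace(match):
        url = match.group(1)
        status, ctype, body = fetcher(url)
        if status != 200 or not ctype.startswith("image/") or not looks_like_image(body):
            rejected.append(url)
            return ""  # remove the tag rather than leave a live remote reference
        ext = ".jpg" if body.startswith(JPEG_MAGIC) else ".png"
        local_path = f"{local_dir}/{hashlib.sha256(body).hexdigest()[:16]}{ext}"
        stored[local_path] = body  # a real site would write this file to disk
        return match.group(0).replace(url, local_path)

    pattern = r'<img\b[^>]*\bsrc="(https?://[^"]+)"[^>]*>'
    return re.sub(pattern, replace, post_html), stored, rejected
```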

P.S.

UMumble.com is no exception, because the posts on its homepage include pictures from other sites. So keep this trick in mind, and always check the domain name that asks for authorization.

There is also always the risk that, while the image is on the homepage, the website it is linked from gets compromised just to replace the image with such a script.

P.P.S.

I do not think this is a bug.
It is nothing more than a trick that the HTTP protocol officially allows.